CVE-2026-27663
Received Received - Intake
Denial-of-Service in Siemens CPCI85 and RTUM85 via Resource Exhaustion

Publication date: 2026-03-26

Last updated on: 2026-04-14

Assigner: Siemens AG

Description
A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.10), RTUM85Β RTU Base (All versions < V26.10). The affected application contains denial-of-service (DoS) vulnerability. The remote operation mode is susceptible to a resource exhaustion condition when subjected to a high volume of requests. Sending multiple requests can exhaust resources, preventing parameterization and requiring a reset or reboot to restore functionality.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27663
EUVD
EUVD-2026-16179
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
siemens cpci85 to 26.10 (exc)
siemens rtum85 to 26.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-27663 is a denial-of-service (DoS) vulnerability found in Siemens CPCI85 Central Processing/Communication and RTUM85 RTU Base products in all versions prior to V26.10.

The vulnerability occurs in the remote operation mode where a high volume of requests can cause resource exhaustion. This means that sending multiple requests can deplete system resources, preventing the system from performing parameterization and requiring a reset or reboot to restore normal functionality.

It is classified under CWE-770: Allocation of Resources Without Limits or Throttling.

Impact Analysis

This vulnerability can impact you by causing a denial-of-service condition in affected Siemens devices. When exploited, the system's resources can be exhausted by a high volume of remote requests, which prevents normal operations such as parameterization.

As a result, the affected device may become unresponsive and require a reset or reboot to restore functionality, potentially leading to downtime or disruption of critical services.

Detection Guidance

This vulnerability is a denial-of-service (DoS) caused by resource exhaustion when the affected devices are subjected to a high volume of requests in remote operation mode.

Detection would involve monitoring for unusual or excessive request traffic to the CPCI85 or RTUM85 devices, which may lead to resource exhaustion and loss of parameterization capability.

Specific commands or tools to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

The primary mitigation step is to update the affected firmware to version V26.10 or later, as this resolves the vulnerability.

Additional recommended measures include protecting network access to the affected devices using firewalls, network segmentation, and VPNs.

Configuring devices according to operational guidelines and ensuring supervision of the update process by trained personnel are also advised.

Operators of critical power systems should ensure multi-level redundant secondary protection schemes to minimize cyber incident risks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27663. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart